cloak.business

ISO 27001 Annex A: How cloak.business Addresses 14 Control Domains

A practical guide to ISO 27001:2022 compliance for PII protection.

February 28, 202610 min read

Why ISO 27001 Matters for PII Protection

ISO 27001:2022 is the international standard for information security management systems (ISMS). While GDPR and HIPAA mandate what data to protect, ISO 27001 provides the framework for how to protect it systematically.

Annex A defines 14 control domains covering everything from access control and cryptography to incident management and compliance. Organizations seeking certification must demonstrate implementation of applicable controls through a Statement of Applicability (SoA).

This guide maps each Annex A domain to specific cloak.business features and infrastructure, showing how a PII protection platform can serve as a key component of your ISMS.

Annex A Control Domain Mapping

A.5

Information Security Policies

Management direction and support for information security in accordance with business requirements and relevant laws.

cloak.business maintains documented security policies covering data classification, access control, and incident response, published in our compliance documentation.Learn more
A.6

Organization of Information Security

Internal organization, roles, responsibilities, and management of mobile devices and teleworking.

Security roles defined across the development and operations team. Security responsibilities are documented with awareness of PII handling and incident reporting obligations.
A.7

Human Resource Security

Security aspects for employees joining, during employment, and when leaving the organization.

Access to production systems is restricted to authorized personnel. Security awareness covers PII handling, incident reporting, and compliance obligations.
A.8

Asset Management

Identification of information assets and definition of appropriate protection responsibilities.

The entity library covers ~320 entity types across 70+ countries — each classified by sensitivity level, region, and applicable regulations. Assets are inventoried and tagged for appropriate handling.Learn more
A.9

Access Control

Business requirements for access control, user access management, and system and application access control.

Role-based access control with mandatory 2FA (TOTP). Zero-knowledge login option for maximum privacy. Session management with configurable timeouts. Complete login audit logging tracks all authentication attempts.Learn more
A.10

Cryptography

Cryptographic controls to protect the confidentiality, authenticity, and integrity of information.

AES-256-GCM for reversible encryption, XChaCha20-Poly1305 for desktop vault, Argon2id for key derivation. All data encrypted at rest and in transit (TLS 1.3). Client-side encryption available via SDK.Learn more
A.11

Physical and Environmental Security

Prevention of unauthorized physical access, damage, and interference to facilities and equipment.

Infrastructure hosted at Hetzner's ISO 27001-certified data center in Falkenstein, Germany. Hetzner provides physical access controls, surveillance, redundant power, and environmental protections as part of their certification.Learn more
A.12

Operations Security

Operational procedures, protection from malware, backup, logging, and monitoring.

Automated health checks every 5 minutes with auto-restart. Systemd service isolation with memory limits (MemoryHigh/MemoryMax per service). Comprehensive audit logging for all API operations.
A.13

Communications Security

Network security management and information transfer security.

All external communications over TLS 1.3. Internal service communication on localhost only. UFW firewall with deny-by-default policy. Rate limiting on all public endpoints. All PII processing occurs on German infrastructure.
A.14

System Acquisition, Development, and Maintenance

Security requirements for information systems, secure development, and test data.

317 custom pattern recognizers with checksum validation and format verification. CI/CD pipelines with automated testing. Dependency scanning and version pinning. Separate development, staging, and production environments.
A.15

Supplier Relationships

Information security in supplier relationships and service delivery management.

Minimal third-party dependencies by design. Infrastructure provider (Hetzner) is ISO 27001 certified. No data shared with third parties for processing — all PII detection and anonymization happens on our own infrastructure.
A.16

Information Security Incident Management

Management of information security incidents, including reporting and response.

Login audit logging tracks all authentication attempts with IP, user agent, device type, and failure reasons. Suspicious IP detection with configurable thresholds. 90-day log retention with automated cleanup.Learn more
A.17

Business Continuity Management

Information security continuity and redundancies for availability.

Systemd auto-restart on failure with 10-second delay. Memory-aware language model loading prevents OOM. 4GB swap as safety net. Health monitoring with automated recovery.
A.18

Compliance

Compliance with legal and contractual requirements, and information security reviews.

GDPR compliant with German data residency. Data Processing Agreement (DPA) available for enterprise customers. Statement of Applicability (SoA) documented and available.Learn more

Key Implementation Highlights

Cryptography (A.10)

Three encryption algorithms cover different use cases: AES-256-GCM for reversible PII encryption, XChaCha20-Poly1305 for local vault storage, and Argon2id for key derivation. All data encrypted at rest and in transit.

Access Control (A.9)

Mandatory 2FA with TOTP, zero-knowledge login option, and complete login audit logging. Every authentication attempt is recorded with IP, user agent, device type, and failure reason.

Asset Management (A.8)

~320 entity types across 70+ countries, each classified by sensitivity level and applicable regulations. The entity library serves as a comprehensive data asset inventory for PII.

Incident Management (A.16)

Login audit logging with suspicious IP detection, automated health monitoring every 5 minutes, and 90-day log retention with automated cleanup.

ISO 27001:2022 Updates

The 2022 revision restructured Annex A from 114 controls in 14 domains to 93 controls in 4 themes: Organizational, People, Physical, and Technological. The original domain concepts (A.5–A.18) were reorganized into this new structure, though the underlying security objectives carry forward.

New controls particularly relevant to PII protection include:

  • A.5.7 Threat intelligence — Monitoring for new PII attack vectors and data breach patterns
  • A.8.11 Data masking — Core functionality of cloak.business with 5 anonymization methods
  • A.8.12 Data leakage prevention — Chrome extension and Office Add-in intercept PII before it leaves the organization
  • A.8.24 Use of cryptography — AES-256-GCM, XChaCha20-Poly1305, and Argon2id implementations

Key Takeaways

  • ISO 27001 provides the "how" — While GDPR says what to protect, ISO 27001 provides the systematic framework
  • All 14 domains are addressed — From policies and access control to cryptography and compliance
  • PII protection is central to ISMS — A dedicated PII tool covers data masking, encryption, access control, and audit logging
  • German infrastructure supports compliance — ISO 27001-certified data center, EU data residency, no third-party data sharing

Limitations and When to Seek Additional Controls

While anonymization addresses many ISO 27001 Annex A controls related to data confidentiality and privacy, it is not a complete information security program. Controls around physical security (A.11), access management (A.9), incident response (A.16), and business continuity (A.17) require independent processes that anonymization alone cannot satisfy. ISO 27001 certification requires demonstrating all applicable Annex A controls through a statement of applicability, not just data processing controls.

The mapping presented here reflects guidance as of ISO/IEC 27001:2022. The standard undergoes periodic revision, and organizations should verify that their ISMS documentation references the current control numbering. Controls that were reorganized between the 2013 and 2022 editions (particularly in the asset management and cryptography categories) may require mapping updates in existing ISMS documentation.

Anonymization is most defensible under ISO 27001 when it is documented as a formal control with evidence — configuration settings, entity lists, confidence thresholds, operator assignments, and audit logs. Informal or undocumented anonymization processes are difficult to include in a statement of applicability and may not satisfy auditor requirements for objective evidence of control effectiveness.

Sources

Related Posts

EU AI Act 2026: Data Anonymization Requirements Guide

EU AI Act August 2026: Art. 10 + GPAI Art. 53 anonymization guide. 5-step workflow, tools comparison, and GDPR mapping for high-risk AI systems.

Read More

When SaaS-Only Isn't Enough

Air-gapped networks and EU AI Act data sovereignty requirements need offline PII processing. When SaaS PII tools can't be used — and what to use instead.

Read More

Ready to Protect Your Data?

Start detecting and anonymizing PII in minutes with our free tier.